All Apps and Add-ons

nix_errors casting too wide a net?

michaelgardner
Explorer

Splunk newbie question, I think.

We have a medium-sized heterogeneous (in terms of OS) environment. We are getting non-errors reported with the "nix_errors" eventtype and also the "nix-log-files" eventtype, though the log files are actually on a Windows server. These eventtypes are defined from the "Splunk for Unix and Linux" App.

The "nix_errors" eventtype is defined as:

NOT sourcetype=stash error OR critical OR failure OR fail OR failed OR fatal

What's the proper way for me to handle this? Suppressing the eventtype throws out too much.

  • Change the definition of the eventtypes in the Manager? (Will my changes be lost on an upgrade?) I think I would add an os_type tag and then reference that in the eventtypes.

  • um .... leave it as is?

  • Better option that I'm not aware of?

I don't want to uninstall the App. It's useful elsewhere.

Thanks,
Mike

0 Karma
1 Solution

araitz
Splunk Employee
Splunk Employee

The nix_errors eventtype is too broad, agreed. You could do a few things:

  1. Turn off global sharing for this eventtype in Manager
  2. Change the eventtype to be scoped to your unix data (e.g. index=os sourcetype=stash error OR ...)

View solution in original post

araitz
Splunk Employee
Splunk Employee

The nix_errors eventtype is too broad, agreed. You could do a few things:

  1. Turn off global sharing for this eventtype in Manager
  2. Change the eventtype to be scoped to your unix data (e.g. index=os sourcetype=stash error OR ...)

michaelgardner
Explorer

Thanks, araitz. The removal of the global scope for the eventtypes has really cut down the noise.

Aside: exptremely tedious to change the 100+ *NIX eventtypes via the GUI. I'm sure there was a better way via the .conf files. Planning to enroll in some Splunk Admin courses.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...